I have a large trace file of several GBs, but not all of traffic is needed. I would like to save the interesting traffic into a separate file in two ways:
How to achieve that? Thank you!

asked 26 Dec '13, 23:19 SteveZhou
3 Answers:
To load a file of several GByte into Wireshark, you would need a system with a 64-bit OS and 'enough' RAM if you want to avoid the known memory problem. So, if you can load the capture file in Wireshark, you can filter the frames however you like (multi-select via CTRL-M (mark) or via display filters) and then export those frames (File -> Export Specified Packets). However, if you cannot load the large capture file into Wireshark (crash due to memory problem), you need to reduce the size of the capture file,
The second option is the harder part, as extracting the 'interesting frames' can get tricky, as you can't use the power of Wireshark's display filters (as you can't load the file). You can try to filter the frames with tshark; however, if Wireshark fails due to memory problems, tshark will almost certainly fail as well, as they both use the same dissection engine (hence they have nearly the same RAM usage). Then the only option would be to use capture filters with a tool that is able to filter and write a new file based on those filters. On Windows I use SplitCap for that. On Linux you can use tcpdump.
Whether that is good enough to filter 'interesting frames' depends on your definition of 'interesting frames'. If it is not good enough, you still have the option to split the large file into files (see editcap above) small enough to load into Wireshark. Regards

answered 27 Dec '13, 05:41 Kurt Knochner ♦ edited 27 Dec '13, 06:04
You can do that by using Export Specified Packets. Open your file, apply your filter and then go to File -> Export Specified Packets. Save all displayed packets in a new file.

answered 27 Dec '13, 00:05 Afrim
If the file is too big to load into Wireshark, you can use tshark to filter on the desired traffic and write the output into a new file. The -Y option allows you to filter all interesting packets.

answered 27 Dec '13, 00:56 mrEEde
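The answers above reach for tshark, editcap, SplitCap or tcpdump. As an added example that is not part of any of the answers, the following does the same job in plain Python: it reads a classic pcap one record at a time and writes only the matching frames to a new file, so memory use stays flat however large the input is, which is exactly the problem Kurt's answer describes with Wireshark and tshark. It matches at the capture-filter level (address, protocol, port), not with display filters, so it is a stand-in for the tcpdump/SplitCap step, not for tshark -Y. Assumptions of this example: classic pcap (not pcapng), untagged Ethernet II frames carrying IPv4 (no 802.1Q, no IPv6), and a constructed four-frame capture with made-up addresses and ports so it runs offline.

```python
import io
import socket
import struct

# Classic pcap magic numbers -> byte order of the record headers
# (nanosecond-timestamp variants share the same record layout).
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def read_global_header(fp):
    """Read the 24-byte pcap global header; return (raw header, struct byte order)."""
    hdr = fp.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    return hdr, PCAP_MAGICS[magic]

def iter_records(fp, endian):
    """Yield (16-byte record header, frame) one record at a time, so only the
    current frame is in memory no matter how large the capture is."""
    while True:
        rec_hdr = fp.read(16)
        if len(rec_hdr) < 16:
            return
        incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
        frame = fp.read(incl_len)
        if len(frame) < incl_len:  # capture cut short mid-record: stop cleanly
            return
        yield rec_hdr, frame

def frame_matches(frame, proto=None, port=None, host=None):
    """Crude capture-filter equivalent for IPv4 over untagged Ethernet II:
    proto = IP protocol number, port = TCP/UDP port on either side,
    host = IPv4 address on either side; criteria left None are ignored."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return False
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    ip_proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto is not None and ip_proto != proto:
        return False
    if host is not None and host not in (src, dst):
        return False
    if port is not None:
        l4 = 14 + ihl
        if ip_proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(frame) < l4 + 4:
            return False
        if port not in struct.unpack("!HH", frame[l4:l4 + 4]):
            return False
    return True

def filter_pcap(src, dst, **criteria):
    """Stream src into dst keeping only matching frames; return (kept, total)."""
    hdr, endian = read_global_header(src)
    dst.write(hdr)  # output keeps the input's link type and snaplen
    kept = total = 0
    for rec_hdr, frame in iter_records(src, endian):
        total += 1
        if frame_matches(frame, **criteria):
            dst.write(rec_hdr + frame)
            kept += 1
    return kept, total

# --- constructed sample data so the example runs offline (no real traffic) ---
def _frame(src_ip, dst_ip, proto, sport, dport):
    """Minimal Ethernet/IPv4 frame with a bare TCP header or an empty UDP datagram."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4

def build_sample_pcap():
    """Four frames: both directions of a TCP/443 flow, a DNS query, an SSH SYN."""
    frames = [
        _frame("10.0.0.5", "198.51.100.20", IPPROTO_TCP, 51000, 443),
        _frame("10.0.0.5", "10.0.0.53", IPPROTO_UDP, 40000, 53),
        _frame("198.51.100.20", "10.0.0.5", IPPROTO_TCP, 443, 51000),
        _frame("10.0.0.7", "10.0.0.9", IPPROTO_TCP, 33000, 22),
    ]
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out.write(struct.pack("<IIII", 1388102340 + i, 0, len(f), len(f)))
        out.write(f)
    return out.getvalue()

def demo(**criteria):
    """Filter the constructed capture in memory; return (kept, total, output bytes)."""
    dst = io.BytesIO()
    kept, total = filter_pcap(io.BytesIO(build_sample_pcap()), dst, **criteria)
    return kept, total, dst.getvalue()
```

On a real capture, `filter_pcap(open("big.pcap", "rb"), open("interesting.pcap", "wb"), port=443)` keeps both directions of every TCP or UDP conversation on port 443 while reading the input sequentially, and the output is a normal pcap that Wireshark will open. Because nothing is dissected, it cannot express a display filter the way tshark -Y can; if the interesting traffic is only recognisable after dissection, use this kind of streaming pass to cut the file down to something tshark or Wireshark can load, then apply the display filter there.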